Over three quarters of companies in the UK, France and Germany have not yet recognised the value of two-factor authentication
Yubico, the leading provider of hardware-based authentication solutions, today released the results of a comprehensive study on adapting to IT security needs in a time of global hybrid work. The study examined how well corporate security is observed in the home office and how well employees are provided with appropriate training and support. For the study, 3,006 employees, company owners and C-level executives at large companies (250+ employees) in the UK, France and Germany who had at some point worked from home using company-owned equipment were surveyed.
Poor password hygiene is also a problem: 54% of all employees use the same passwords for multiple professional accounts, and 41% of company owners still remember passwords by writing them down
The results of the study provide insight into the use of corporate devices for private purposes, password sharing, remembering corporate passwords, the use of two-factor authentication (2FA) and other security aspects. At the same time, the results demonstrate how companies react to the current situation.
The data make it clear that users have taken only inadequate security precautions on official devices since the start of the pandemic. The company owners and C-level executives proved to be the biggest offenders. At the same time, organizations are failing to implement the cybersecurity best practices required for off-site environments. Fewer than a quarter of respondents say their company has implemented 2FA at all since the pandemic began. And even those that have done so often use less secure and less user-friendly forms of 2FA such as mobile authentication apps and one-time passcodes via SMS.
Stina Ehrensvärd, CEO and Founder of Yubico
“The study shows that many companies are still finding their way in these new, mostly virtual working environments. While this flexibility may offer new opportunities for businesses and employees, don’t ignore the growing cybersecurity risks that come with it,” says Stina Ehrensvärd, CEO and Founder of Yubico. “Threat actors are always finding new and innovative ways to break through corporate defenses, which requires modern security solutions such as the YubiKey. A Google User provisioning study highlights the remarkable benefits and ROI of hardware-based authentication with the YubiKey, as well as the standardization work we’ve been driving.”
The main results of the survey:
- 54% of all employees use the same passwords for multiple business accounts. 22% of respondents still write down passwords to keep track – including 41% of company owners and 32% of C-level executives.
- 42% of respondents admit that they use business devices for private purposes every day when working in the home office. Of these, 29% use the devices for banking and shopping, and 7% admit to using them to watch illegal streaming services.
- Among the biggest offenders are those in senior roles: 44% of company owners and 39% of C-level executives admit that they have been doing private tasks on their business devices every day since they started working in the home office. Almost a quarter (23%) of company owners and 15% of C-level executives even use the devices for illegal streaming/television.
- A year after the pandemic began and home office policies were introduced, 37% of employees across all industries have still not received cybersecurity training for telecommuting. This makes companies highly vulnerable to the changing risks.
- 43% of all employees think that cybersecurity is not a matter for the workforce, and almost two-thirds (60%) believe that IT teams are responsible for this. However, the available data suggests that the IT departments do not meet the expectations of employees. Only 37% of employees feel they are now better supported by the IT department than when working in the office, where the IT security team was in close proximity.
- At the same time, there is also a lack of a supportive top-down safety culture. This causes employees to feel more anxiety or stress in the event of IT or security problems. 51% of respondents often try to solve their IT problems themselves, rather than turning to the IT department. And 40% would not immediately inform the IT department if they clicked on a suspicious link.
- Although 2FA technology is the best defense measure against account hijacking, only 22% of respondents say their company has adopted two-factor authentication since the pandemic began.
- Even among the companies that have implemented 2FA, only slightly more than a quarter (27%) issue FIDO-compliant hardware security keys, which provide the most advanced form of phishing protection. The others rely on more vulnerable and outdated solutions such as mobile authentication apps (54%) and one-time passcodes via SMS (47%).
In Germany, some of the employees have taken a stricter approach to security in the wake of the pandemic. While the total daily private use of work equipment increased, it fell from 42% to 34% among those who had already worked from home before the pandemic. This suggests that this group is more aware of the increased risk.
As with the overall results, the answers from Germany also show that company owners fall short on security: a quarter of German company owners admit to using professional devices for illegal streaming.
Only 35% of respondents say they have received cybersecurity training from their employer. Half of all C-level executives did, but only a quarter of entry-level employees did.
Patching is also a patchwork: important updates on work devices are greatly neglected. On average, only 11% of respondents keep their work equipment up to date, along with another 27% of home workers.
In addition, the respondents from Germany are overly sure that they would recognize a phishing attempt: 71% of all employees said that they were very sure or rather sure of it.
The main habits of employees:
- Daily private use of official devices: before Covid 21%; since Covid 30%
- The most important private activities on business devices: reading articles 48%; social media 40%; administration 34%; banking 31%; shopping 31%; gaming 19%
- Daily professional use of private devices: before Covid 19%; since Covid 28%
- Allow third parties to use a device: company owners 90%; C-level 65%
- Feeling more vulnerable to cyber threats while working from home: 36%
- Feeling unsupported by the IT department: 32%
- Cybersecurity training for teleworking completed: 35% say yes
- Immediate reaction to clicking on a suspicious link while working: 59% inform the IT department as soon as possible; 18% “ask Google”
- Remember professional passwords: 23% write them down; 21% use a password manager; 12% save them as a document on the device; 8% use the same password for multiple accounts
- Would use the same login for a professional account again after a security breach: 21%
- Would never share the password for official emails: 69%
- Are sure to detect phishing attempts: 71%
- Would find it less terrible if their professional credentials were stolen than their personal information: 63%
To learn more about the study, you can register for the upcoming Yubico webinar “State of cybersecurity in Europe during the Covid-19 crisis” on June 29 at 8 p.m.
The study was conducted by the independent market research company Censuswide from February 19 to March 3, 2021. It surveyed 3,006 employees of large companies (250+ employees) in the UK, France and Germany who had worked from home at some point and had work devices. Censuswide follows the rules of the Market Research Society and employs members of the society. The Market Research Society works on the basis of the ESOMAR principles.